Linux on Linksys Wi-Fi Routers

Hacking this reliable, inexpensive platform can be your first step to a successful wireless project. Chain access points together to cover a wide area, crank up the power level, get more working space in Flash memory and more.

Adding Secure Shell (SSH)

One enterprising individual ported the entire OpenSSH toolchain to the
Linksys box. Unfortunately, the size of the OpenSSH binary means that
many standard Linksys functions must be removed to make room. Plus, the
resulting RAM requirements are at the limits of available memory.
What is needed is an SSH server with a small memory footprint, and the
Dropbear server fits the bill nicely. Matt Johnson designed the Dropbear
SSH dæmon specifically to run in memory-constrained systems such as
the Linksys.

The standard Linksys Linux implementation lacks many of the normal
files needed for multiuser Linux systems. Two of these—passwd and
groups in the /etc directory—are required by the vast majority of
Linux applications. In order to run the Dropbear server, we need to add
these files to the Flash build.

By creating a passwd file with a root entry and no password and a matching
groups file, we can make Dropbear almost happy enough to run. These files are
copied to the /etc directory of the Flash image and are read-only
on the Linksys.

When running, Dropbear also needs to access a private key that is used for
SSH handshaking and authentication, as well as a known_hosts file containing
the public keys of approved client machines. Generating the private key
with the dropbearkey program is a snap, but storing it on the Linksys is
a bit trickier.

The WRT54G contains a hash map of key name and value pairs located in
nonvolatile storage called nvram. The bundled nvram utility and API
allows us to read and write to this memory area. The Dropbear private
key and our public key ID from id_rsa.pub in our home .ssh directory
are stored in nvram and copied to /var in the RAM disk on system start.

We compile Dropbear with support for key-file authorization and now have
a secure way to log in to the Linksys. If you need password login, the
Dropbear code can be patched to read the system password from nvram
and to add the ability for password logins as well.

Increasing Flash Memory Compression

After adding such utilities as SSH and telnetd, you soon find your
Linksys firmware image bumping the limits of the Flash storage space on
the device. What you need is a filesystem with better compression than
cramfs offers, one that is compatible with the Linksys Linux kernel.

The default cramfs filesystem compresses data in 4K blocks, but compressing
on 4K boundaries limits the compression ratios that can be achieved. If
we could find a filesystem that compressed larger blocks of data but
mapped correctly to the page size in the OS, we would be able to
put far more data and applications in the firmware.

Phillip Lougher's squashfs filesystem compresses in 32K blocks and is
compatible with the 2.4 and 2.6 kernels. If we could move the Linksys
firmware from cramfs to squashfs, we might have enough room for a VPN client
and server in the system.

The Linksys kernel is a customized 2.4.20 source tree modified by
Broadcom. Broadcom is a leading 802.11g chip maker and is responsible for
the CPU and radio chips in the WRT54G. The squashfs tar file contains
patches for the 2.4.20 through 2.4.22 kernels. Unfortunately, none of these
applies cleanly to the Broadcom kernel tree, so a bit of hand editing
is necessary. The patch with the fewest errors is the 2.4.22 version,
which misses only one hunk when applied. By reading the patch file and
finding the missing hunk, you can patch the missing code manually. You
also can find a WRT54G-specific squashfs patch on the Sveasoft Web site.

The Linksys WRT54G Source Tree

When you unpack the GPL source from Linksys, a directory structure is created below the main
WRT54G subdirectory. Here is an explanation of
the important parts.

The main tarball directory is /WRT54G.
The main Makefile lives in /release/src. After unpacking
the source, read the README file here for instructions
on how to compile it.

All of the applications packaged with the Linksys unit
are built from /release/src/router. If you want to add applications, do
it here and modify the Makefile in this directory.
This Linux kernel source tree has been modified by
Broadcom, the manufacturer of the wireless chips and
CPU in the WRT54G. Add your kernel modifications or
patches here, /release/src/linux/linux.

You need to create a symlink from /opt to the brcm
directory here, /tools/brcm. Two of the subdirectories under brcm
must be added to your PATH. See the README file
above for more information.

Patches and updated source code can be downloaded
from Sveasoft. See Resources for
more information.

The next step is to edit the Broadcom kernel startup code and add a
check for squashfs. The do_mount.c file contains nearly identical code
and can be used as a guide when patching the startup.c file in the
arch/mips/brcm-boards/bcm947xx subdirectory.

After patching the kernel, the router Makefile must be patched to
generate a squashfs image and the Linux kernel configuration must be
set to include squashfs support.

This is well worth the effort, however. On recompile you should find some
500K free bytes, compared to the stock cramfs filesystem.

You need an ethernet cable punched through the wall and ran across your yard. connect the ethernet cable to a switch in your house and you are good to go. Physics dictates that you won't be able to send a good signal through your faraday cage, uh, I mean metal shed. :-p